author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-05-03 11:30:57 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-05-03 18:26:38 +0200 |
commit | c8b350392e23c3d33bdc65e6fed49bded672c181 (patch) | |
tree | 0caa45199de27a236a24868dad8cb8685fc2aa19 /src/optimize.c | |
parent | fc4da14128e33d87fa24c019ec8c3a69548bf466 (diff) |
optimize: incorrect logic in verdict comparison
Keep inspecting rule verdicts before assuming they are equal. Update
existing test to catch this bug.
Fixes: 1542082e259b ("optimize: merge same selector with different verdict into verdict map")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/optimize.c')
-rw-r--r-- | src/optimize.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/src/optimize.c b/src/optimize.c
index 4ad25fab..6d6a6d65 100644
--- a/src/optimize.c
+++ b/src/optimize.c
@@ -622,12 +622,14 @@ static bool stmt_verdict_cmp(const struct optimize_ctx *ctx,
 stmt_a = ctx->stmt_matrix[i][k];
 stmt_b = ctx->stmt_matrix[i + 1][k];
 if (!stmt_a && !stmt_b)
- return true;
- if (stmt_verdict_eq(stmt_a, stmt_b))
- return true;
+ continue;
+ if (!stmt_a || !stmt_b)
+ return false;
+ if (!stmt_verdict_eq(stmt_a, stmt_b))
+ return false;
 }
- return false;
+ return true;
 }
 static void rule_optimize_print(struct output_ctx *octx, |
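Review bot: The closing `return true;` in stmt_verdict_cmp() is vacuously true when the loop body never runs or when every compared pair hits the `!stmt_a && !stmt_b` `continue`, so a range with no verdict statement at all is reported as "verdicts equal". The loop header and the callers are outside this hunk, so whether such a range can reach the function is unconfirmed. A wrong "equal" here matters because the optimizer would presumably fold rules with different verdicts into one, silently changing what the ruleset accepts or drops. I would document the contract above the loop, e.g. `/* true only if no adjacent pair in [from, to] disagrees on its verdict; a range without verdicts also yields true, callers must ensure one exists */`, and confirm the existing callers satisfy that precondition.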